New York: A vulnerability in Twitter’s software that last year exposed an undetermined number of owners of anonymous accounts to potential identity compromise was exploited by a malicious actor, the social media company said.
It did not confirm reports that data on 5.4 million users had been offered for sale online, but said on Friday that users worldwide were affected. The breach is particularly worrisome because many Twitter account owners, including human rights activists, do not reveal their identities in their profiles for safety reasons, fearing harassment by repressive authorities.
US Naval Academy data security expert Jeff Kosseff tweeted, “Too bad for the many who use pseudonymous Twitter accounts.”
The vulnerability allowed someone to determine, during log-in, whether a particular phone number or email address was linked to an existing Twitter account, and so to tie a known contact detail to the account behind it and unmask its owner, the company said.
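The flaw described above is a classic account-enumeration oracle: a lookup endpoint that answers differently depending on whether a submitted phone number or email address is already registered. The following is an added illustration, not Twitter’s code or a reconstruction of its systems; the account directory, handles and endpoint behaviour are constructed for the example. It models a leaky lookup beside a hardened one that returns the same response regardless and routes the real outcome out of band, plus the attacker-side loop that turns the leaky version into a contact-to-handle mapping.

```python
"""
Added example of an account-enumeration oracle and its hardened form.
Not Twitter's code; all accounts and responses below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample directory: contact identifier -> handle (hypothetical users).
_ACCOUNTS = {
    "+15555550100": "@activist_a",
    "alice@example.org": "@alice",
    "+15555550199": "@reporter_b",
}

# Stand-in for an out-of-band channel (SMS or email to the contact itself).
_outbox: list[tuple[str, str]] = []


def _deliver_out_of_band(contact: str, message: str) -> None:
    _outbox.append((contact, message))


@dataclass(frozen=True)
class LookupResult:
    status: int
    body: dict


def lookup_vulnerable(identifier: str) -> LookupResult:
    """Leaky: the response depends on whether the contact is registered,
    and even names the account it belongs to. Anyone holding a list of
    phone numbers or emails can map them to handles with this alone."""
    handle = _ACCOUNTS.get(identifier)
    if handle is None:
        return LookupResult(200, {"registered": False})
    return LookupResult(200, {"registered": True, "account": handle})


def lookup_hardened(identifier: str) -> LookupResult:
    """Non-leaky: identical status and body whether or not the contact
    exists. Whatever the caller needs to know is sent to the contact itself,
    so only the person who controls that phone or mailbox learns the answer."""
    if identifier in _ACCOUNTS:
        _deliver_out_of_band(identifier, "An account already uses this contact.")
    return LookupResult(
        200, {"message": "If this contact is registered, instructions have been sent to it."}
    )


def enumerate_accounts(
    candidates: Iterable[str], lookup: Callable[[str], LookupResult]
) -> dict[str, str]:
    """Attacker side: feed known contacts to the lookup and keep every one
    the response ties to an account. Against the hardened endpoint this
    yields nothing."""
    found: dict[str, str] = {}
    for contact in candidates:
        body = lookup(contact).body
        if body.get("registered") and "account" in body:
            found[contact] = body["account"]
    return found


def responses_distinguishable(
    lookup: Callable[[str], LookupResult], probes: Iterable[str]
) -> bool:
    """Practitioner's check: does the endpoint answer any two probes
    differently (status or body)? If so it is an oracle, whatever the
    wording of the body. Timing and header differences would need the
    same treatment in a real test."""
    seen = {
        (r.status, tuple(sorted(r.body.items())))
        for r in (lookup(p) for p in probes)
    }
    return len(seen) > 1


if __name__ == "__main__":
    probes = ["+15555550100", "+15555550101", "alice@example.org"]
    print("vulnerable:", enumerate_accounts(probes, lookup_vulnerable))
    print("hardened:  ", enumerate_accounts(probes, lookup_hardened))
    print("oracle?    ", responses_distinguishable(lookup_vulnerable, probes),
          responses_distinguishable(lookup_hardened, probes))
```

The check in `responses_distinguishable` is the one worth carrying into a real assessment: probe the endpoint with one contact you know is registered and one you know is not, and compare the full responses, not just the human-readable text.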
Twitter said it did not know how many users were affected and stressed that no passwords had been exposed. “We can confirm the impact is global,” a Twitter spokesperson said via email. “We cannot definitively determine how many accounts were affected or the location of the account holders.”
Twitter’s acknowledgment in a blog post on Friday followed a report by digital privacy advocacy group Restore Privacy that detailed how data potentially obtained from the vulnerability was being sold on a popular hacking forum for $30,000.
A security researcher discovered the flaw in January, reported it to Twitter, and was paid a $5,000 bounty. Twitter said the bug, which had been introduced in a June 2021 update to its code, was fixed immediately after the report.
Twitter said it learned about the data sale on a hacking forum from media reports and “confirmed that a bad actor took advantage of the problem before it was fixed”. It said it is directly notifying all account owners it can confirm were affected.
“We are publishing this update because we cannot confirm every account potentially affected and are particularly concerned about people with pseudonymous accounts who may be targeted by states or other actors,” the company said.
Twitter recommended that users trying to hide their identity should not add a publicly known phone number or email address to their Twitter account. “If you are running a Twitter account under a pseudonym, we understand the dangers of such an incident and deeply regret that this has happened,” it said.
The breach came as Twitter was locked in a legal battle with Tesla CEO Elon Musk over his attempt to back out of his $44 billion offer to buy the San Francisco-based company.